Equifax Shenanigans

Leigh, SecurityBytes
Sep 15, 2017

As we enter the breach era, the sheer scale of the Equifax breach almost fails to register for most people; hundreds of millions of people being impacted is unimaginable for us. But one number — which seemed to be swallowed up by the wider story — was that 44 million Brits are likely to be affected. Another enormous number for sure, but look at it this way: that’s about two-thirds of us.

The difficulty with the Equifax case, though, is that none of us actually chose to be a customer of theirs in the first place. They’ve got our data by virtue of deals with other organisations (which we technically did choose to accept when we diligently read through the terms and conditions when we applied for bank accounts, loans, mortgages, credit cards, etc.), and what’s worse is that there’s no realistic way for you, as a consumer, to opt out.

Whilst Equifax scramble to respond to the incident, further frustrations emerge when we learn that three of their executives may have sold their stock just before the breach was announced, potentially saving them millions of dollars in lost stock-market value.

But whilst the share price did take a hit, it will only be a temporary one. Equifax is one of the three big credit reference agencies and they’re going nowhere.

Some commentators are quick to point out that they’re actually the victim here. Usually a fair assessment in light of a breach — after all, they have been the victim of a crime. But what’s lost in this are the hundreds of millions of people who now find themselves having to pick up the pieces and deal with the fallout of someone else’s disaster.

And one thing that these hundreds of millions of people can rightly claim is that at least they didn’t do anything wrong. Less so for Equifax themselves.

A patch for the vulnerability which led to the breach was available — in March 2017. Given that this breach probably happened around May 2017, it looks like there is a degree of negligence and culpability here on Equifax’s behalf.

Furthermore, taking a step back, one commentator pulled together an overview of Equifax’s attack surface. This level of complexity, sprawl, and mismanagement can easily be pointed to as a direct precursor to and cause of the catastrophe.

Need further evidence? They also had to scramble to pull a database off the internet which was protected only by the username and password combination of ‘admin’, after Brian Krebs reported on it.

This reeks of institutional mismanagement and ignorance of even basic information security principles.

But they’re not the only ones guilty of this. As companies grow — organically or through acquisition — so too does the complexity of the IT estate. And with complexity come workarounds. And with workarounds come exceptions, come waivers, come risks — and eventually comes your time on the front page.

But it doesn’t have to be like this — and there are some lessons that we can learn:

Firstly, and most importantly, this is the second high-profile information security incident this year which would have been wholly avoided through an effective patch management regime. Patching is dull, uninspiring, and generates neither headlines nor heroes. But it works.

Secondly, taking an attacker’s eye view of your estate is an essential step in minimising the opportunities that they will have to cause you harm. Were Equifax aware that their footprint was so expansive?

Thirdly, pulling together the first two points is proper asset management. Knowing what you have, why you have it, and what state and exposure it has is one of the first steps companies should be taking in their attempts at protecting themselves.
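As an added illustration of the first three lessons (not code from the original post), here is a small asset-inventory triage that turns "knowing what you have, its state and its exposure" into a concrete check: for each asset it computes how long a known fix sat unapplied, flags internet-facing assets that have blown an assumed 30-day patch SLA, and flags default credentials. The inventory, the SLA and the exact dates are constructed for the example; the article only gives the months.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Assumed policy: anything exposed to the internet gets a known fix within 30 days.
PATCH_SLA_DAYS = 30
# Review date for the sample run. The article only gives months ("March", "around May"),
# so these dates are constructed for illustration, not taken from the incident.
AS_OF = date(2017, 5, 1)

@dataclass
class Asset:
    name: str
    internet_facing: bool
    fix_available: Optional[date]  # date a vendor fix for a known flaw became available
    patched_on: Optional[date]     # date that fix was applied; None if still unpatched
    default_credentials: bool      # an account still on its factory/default password

def patch_gap_days(asset: Asset, as_of: date) -> Optional[int]:
    """Days a known fix was available but not applied (up to as_of, or until patched)."""
    if asset.fix_available is None:
        return None
    end = asset.patched_on or as_of
    return max(0, (end - asset.fix_available).days)

def triage(inventory: List[Asset], as_of: date) -> List[Tuple[str, List[str]]]:
    """Return (asset, reasons) findings, most exposed first: internet-facing assets
    with the longest open patch gap sort to the top, then default-credential hits."""
    findings = []
    for a in inventory:
        gap = patch_gap_days(a, as_of)
        reasons = []
        if gap is not None and a.patched_on is None and gap > PATCH_SLA_DAYS:
            reasons.append(f"fix available {gap} days, not applied (SLA {PATCH_SLA_DAYS})")
        if a.default_credentials:
            reasons.append("default credentials")
        if reasons:
            findings.append((a.internet_facing, gap or 0, a.name, reasons))
    findings.sort(key=lambda f: (f[0], f[1]), reverse=True)
    return [(name, reasons) for _, _, name, reasons in findings]

# Constructed sample inventory, not Equifax's estate.
SAMPLE = [
    Asset("web-portal", True, date(2017, 3, 1), None, False),                  # fix never applied
    Asset("intranet-wiki", False, date(2017, 3, 1), date(2017, 3, 20), False),  # patched in 19 days
    Asset("customer-db", True, None, None, True),                               # default admin login
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE, AS_OF):
        print(f"{name}: {'; '.join(reasons)}")
```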

Fourthly, understanding of what ‘incident management’ actually covers needs to improve. Once an incident is underway, any and all company actions — or inactions — are going to be scrutinised by everyone. You need a playbook and you need to be drilled in running it steadily. This includes getting the message out to people — directly, through news media, and through social media — let alone actually getting down to the detail of determining what actually happened and how to recover.

And now, finally, we get to it: take information security seriously. Information security has now moved on from being some kind of esoteric after-thought in IT to needing to be considered part of the cost of doing business in the modern economy. Because whether you take it seriously or not, attackers are demonstrably taking it seriously and you don’t want your first foray into modern security to be played out across the news.

Father, husband, security architect, Guardian.